The Discovery of a bug in Apple HomeKit back in August 2021 has only recently made its way into the public, and yet more than half a year has passed without any fix in sight. What are denial-of-service attacks, how does the new bug work, and what does this teach engineers regarding unexpected inputs?

What are Denial-of-Service (DoS) attacks?

Denial-of-Service attacks, often abbreviated to DoS, are attacks whose primary purpose is to prevent the regular operation of a service such that other users cannot access it (hence, denial of service). DoS attacks are prevalent against major websites such as Twitter, Facebook, and Amazon. Such an attack relies on many clients sending a huge amount of requests in a very short period. It is shockingly simple to perform a DoS attack as each client merely needs to use up its own internet bandwidth on sending bogus requests at a remote server. When performing a DoS on a website or web service, the biggest challenge is getting enough client machines to perform the attack in unison.

But what is the point of a DoS attack? If the sole purpose is to prevent a service from being accessible, then a DoS attack makes sense (for example, a cyber-protester against a tech giant). Such attacks can also be directed towards financial institutions such as banks, and this can cause service providers to lose money. Another potential use of DoS attacks is against a foreign nation during times of war; a DoS attack against a military network could render internal communication unusable while simultaneously disrupting military organisations.

Apple HomeKit DoS bug

Apple HomeKit is a platform that helps Apple users control various IoT devices around their house from a single app. Examples of devices that can be controlled from HomeKit include garage doors, locks, lights, sockets, and thermostats.

However, a new bug was discovered in Apple HomeKit in August 2021, but it has only recently come to light. Essentially, the bug causes Apple devices to indefinitely crash and freeze after adding a device whose name exceeds 500,000 characters long.

What makes the bug worse is that devices that freeze can be restarted but then immediately become unresponsive. There is no method for a user to remove the device from their HomeKit via a frozen device, and a device needs to be completely factory reset. To make matters worse, Apple iCloud is used to backup devices on the network, and this means that fixed devices that restore settings from the cloud refreeze.

Despite being found over 6 months ago, the problem is still yet to be solved. Exploits made by cybercriminals are most likely in the form of an invitation rather than adding devices via an app. Furthermore, this attack would only be DoS and not give the attacker access to private data.

What does this bug teach about unexpected inputs?

This bug is most likely a result of some software routine not checking the input size or not setting a limit on how long a string can be. If this is the case, it could be similar to the Heartbleed bug that affected SSL, whereby an attacker can get private data inside of RAM by asking for a response length that didn’t match what was initially sent.

Regardless of why the bug causes a crash, we can be sure that this bug is caused by a buffer overflow. Instead of the overflow causing a system interrupt and killing the process, it could be a hardcoded issue in the OS where the buffer overflow runs into the memory space of other active programs.

To prevent such incidences, designers must always sanitise data from unknown sources. Such sanitisation includes checking the string length, checking for illegal characters, and ensuring that inputs are properly terminated. Inputs can also be checked for integrity whereby only complete messages (those that have both start and end frames) are processed.